
I've installed Pure-FTPd on a Debian 10 machine that runs iptables with the default DROP policy for the INPUT chain. The OUTPUT chain is set to ACCEPT.

Problem: if I try to connect an FTP client it only works sometimes. It seems to randomly be able to list folders or fail. Usually retrying a new connection will work.

My Pure-FTPd is configured with these ports:

$ cat /etc/pure-ftpd/conf/Bind
85.xxx.xxx.xxx,57419

$ cat /etc/pure-ftpd/pure-ftpd.conf | grep Port
# Port range for passive connections - keep it as broad as possible.
PassivePortRange             30000 50000

To open the ports on the firewall I used:

iptables -A INPUT -p tcp --dport 57419 -j ACCEPT
iptables -A INPUT -p tcp --dport 30000:50000 -j ACCEPT

Logs on the server:

pure-ftpd]: (?@176.x.x.x) [INFO] New connection from 176.x.x.x
pure-ftpd]: (?@176.x.x.x) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
pure-ftpd]: (?@176.x.x.x) [INFO] testuser is now logged in
// no more output until the client retries a new connection

Now the FTP client will say it's listing for a while and then: [screenshot of the client error]

Now, if I set the iptables INPUT chain to ACCEPT everything works fine, so it seems there's some port still blocked that Pure-FTPd randomly tries to use. How can I debug this / fix it?

Thank you.

TCB13

1 Answer


I managed to track this to a configuration issue.

Apparently setting ports at /etc/pure-ftpd/pure-ftpd.conf isn't enough. With further analysis with ss -nap | grep pure I found out that pure was trying to use ports outside the ranges allowed in the firewall.

To fix this I just had to create a file at /etc/pure-ftpd/conf/PassivePortRange and also set the port range there.

TCB13
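The diagnosis in this answer (compare what pure-ftpd actually listens on with what the firewall permits, then make sure both config locations agree) turned into a repeatable check. This is an added example, not code from the post or from Pure-FTPd; the ss output is constructed, and the config file paths are passed in as parameters.

```shell
#!/bin/sh
# Print every port a pure-ftpd process is LISTENing on that is neither the
# control port nor inside the passive range the firewall allows. Those are
# exactly the data connections the INPUT DROP policy silently eats.
# $1 = output of `ss -nap`, $2 = control port, $3 = range low, $4 = range high
check_pasv_ports() {
    printf '%s\n' "$1" | awk -v ctl="$2" -v lo="$3" -v hi="$4" '
        $2 == "LISTEN" && index($0, "\"pure-ftpd\"") {
            n = split($5, a, ":"); port = a[n] + 0   # last field after ":" handles [::] too
            if (port != ctl && (port < lo || port > hi)) print port
        }'
}

# Compare the PassivePortRange in pure-ftpd.conf ($1) with the Debian-style
# conf/PassivePortRange file ($2); prints "ok" when they agree, else "mismatch".
pasv_range_consistent() {
    conf_range=$(awk '$1 == "PassivePortRange" { print $2, $3 }' "$1")
    file_range=$(awk 'NF { print $1, $2 }' "$2")
    [ -n "$conf_range" ] && [ "$conf_range" = "$file_range" ] && echo ok || echo mismatch
}

# Constructed sample in `ss -nap` column order (Netid State Recv-Q Send-Q Local Peer Process).
# 57419 is the control port, 41234 and 49999 sit inside 30000-50000, 58111 does not.
SAMPLE_SS='tcp   LISTEN 0  8    85.0.0.1:57419           0.0.0.0:*        users:(("pure-ftpd",pid=1234,fd=4))
tcp   LISTEN 0  1    85.0.0.1:41234           0.0.0.0:*        users:(("pure-ftpd",pid=1301,fd=7))
tcp   LISTEN 0  1    85.0.0.1:58111           0.0.0.0:*        users:(("pure-ftpd",pid=1302,fd=7))
tcp   LISTEN 0  1    [::ffff:85.0.0.1]:49999  [::]:*           users:(("pure-ftpd",pid=1303,fd=7))
tcp   ESTAB  0  0    85.0.0.1:57419           176.0.0.1:51000  users:(("pure-ftpd",pid=1301,fd=0))
tcp   LISTEN 0  128  0.0.0.0:22               0.0.0.0:*        users:(("sshd",pid=700,fd=3))'

# Stand-alone run: on a real host replace SAMPLE_SS with "$(ss -nap)".
echo "pure-ftpd ports outside the firewall rules:"
check_pasv_ports "$SAMPLE_SS" 57419 30000 50000
```

Run `pasv_range_consistent /etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/conf/PassivePortRange` after applying the fix; any port the first function prints is one that will hang a LIST the way the question describes.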